Do you use email encryption?

by Jochen Wolters

In what is easily the most concise tutorial I've seen on this topic so far, Melvin Rivera explains how to enable support for email signing and encryption in Mail.app. All that's required for basic encryption is to request a personal security certificate and add this to your Mac's keychain. No need to install additional software or configure anything, as Mail and Address Book support these features out of the box.

Its underlying basics like the concept of public-key cryptography haven't changed, but email encryption has come a long way in terms of usability: add that certificate to your keychain, and encrypting your emails is as easy as clicking a button. That's a big change from the early command-line tools, and it makes encryption accessible even to less experienced users. Why, then, is it that so few people actually encrypt their emails?

Consider this: as you may know, standard email is sent along the Internet as plain text, so that anyone with access to one of the computers along which that email travels from sender to recipient could theoretically read what you're sending. The often-used comparison between an email and a postcard is very appropriate. In the analog world, though, we tend to prefer mailing a letter in a sealed envelope unless we send greetings from our far-away vacations, in which case postcards come in handy to make even the postman envious...

"Postcards" in the digital realm, envelopes in the real world. Where does this discrepancy come from? How about you, dear reader: do you use email encryption? If so, what kind of encryption (i.e., PGP, GPG, S/MIME, ...) are you using, and which kinds of messages do you encrypt? And how many of your friends use encryption, too? If you do not use email encryption: is there a specific reason — like difficulty-of-use, lack of trust in the system, etc. — that keeps you from doing this?

Let's find out what it takes to make email encryption more popular. Or is it already more popular than I think?

32 Comments

Andrew
2007-03-08 08:20:47

I use the GPGMail plugin. None of the people I email regularly use encryption, so the only time I actually use it is when I'm sending email to myself (e.g. from home to work or vice versa). In that case it gets encrypted and decrypted automatically so it costs me no time or effort to do.

I keep thinking about setting the default to digitally sign my emails, but then I think of all of the explaining I would have to do...

CBrachyrhynchos
2007-03-08 08:28:22

I spent about a month digitally signing my mail messages but got too many complaints from recipients who didn't understand it, and didn't see a need for it.

mycroft
2007-03-08 08:35:00

I use GPG with my friends who have email encryption software. But there are not many of them.

PGP for Mac OS X is expensive. Although the 8.x version worked well the 9.x version is buggy and has some ill-considered changes. Unfortunately, if you are using OS 10.4 you must use PGP 9.

I currently use GnuPG with 10.4, but it is not the easiest to use. There isn't an integrated suite of GUI tools, there is a collection of tools created by different developers some of which haven't been updated in years. The GPG Mail.app integration bundle provided by Sen:te (www.sente.ch) works great, but the GPGPreferences preference pane app will not work on an Intel Mac.

I know things are much better, on Gnu/Linux with Evolution, KMail and Thunderbird. We really need a well-done, integrated, GUI suite for GPG for Mac.

Josh Peters
2007-03-08 08:37:43

I also use GPGMail for encrypting and signing my mail. I've used S/MIME (thanks to a free cert from Thawte) but ended up going with GPG in the end due to the support for it in Microsoft Outlook (which is what I use at work).

@Andrew: I've been signing my mail to varying degrees of technically inclined individuals and haven't been asked about it yet.

FYI, my key ID is 0xB5E9664D

Josh Peters
2007-03-08 08:52:23

To make email encryption more popular it needs to be packaged as a default. Mozilla Thunderbird should include the EnigMail extension and have it on by default (and make it nicer for anyone to jump in and use). Google could also foster adoption by allowing people to use GPG with their email.

I see two big obstacles for the use of encryption in email: the learning curve for setup and the lack of good interfaces. It's difficult to manage keys with GPG (not impossible, I do it enough to satisfy me, but it's definitely not an easy task). The issues of trust and key signing need to be more clearly spelled out so that end users can have a better understanding of what's going on.

There is a huge learning curve to set up GPG (or to obtain a certificate from a vendor like Thawte). These need to become friendlier. One good way to do this is to adopt good defaults (that the more experienced users can override). There are too many questions to answer for an encryption newbie to handle which limits the usefulness overall. Installing a plugin like EnigMail should by default create a key for use (unless the user already has a key and tells the installer so). Signing should be on by default, as it doesn't take away from the usefulness of email for non-encryption-enabled users (and perhaps a little change to how a signature is provided would be good here too: if GMail adopts encryption I wouldn't be surprised if the signature portion of a message included a link to a page describing how signing email helps to combat spam etc.)

Finally on OSX, Apple needs to formalize the APIs that the GPGMail plugin takes advantage of. It will be a sad day when Apple breaks the API that GPGMail uses (and please don't let it be in 10.5!). Just like Microsoft Vista's PatchGuard closing old, undocumented, super-useful APIs to third parties, Apple will eventually get around to closing things down. Unless a formal Mail.app extension API is offered that allows GPGMail to function my bets are hedged and I will keep a copy of Thunderbird around.

Pepi
2007-03-08 08:59:11

I have been using email encryption for many years now, both GnuPG and S/MIME to be exact. I've been encouraging its use ever since, and it's slowly gaining momentum regarding public interest in that matter. These days one has to enforce the right to privacy, and encryption is the way to go!

For the German-speaking audience:
There is a recent thread by myself over at the "Apfeltalk Forum" that covers that topic as well.
http://www.apfeltalk.de/forum/verwendest-email-verschluesselung-t70846.html
Best regards
Pepi

Tom DeGisi
2007-03-08 09:14:20

I used it with Outlook, and once I got the free key from Thawte it was pretty easy to set up. But it dramatically slowed down not just my Outlook, but also the Outlook instances of all my co-workers to whom I sent email.

We did not like that, and I stopped using it.

Your analogy about postcards was pretty good, but these postcards are being delivered through pneumatic tubes, and you do have to do some technical work to see them. Something more difficult, I think, than steaming open and resealing an envelope. But it may be easier to keep secret than walking up to my mailbox, stealing my mail and then returning it.

Yours,
Tom

Mike
2007-03-08 10:51:56

"Do you use email encryption?"

No, I don't. I've got a PGP key imported, and the requisite boxes checked in KMail on a Linux install, but I don't use it. (IIRC, KMail uses PGP/MIME which Outlook/OE have problems with.)

I have compiled GPG and installed it on OS X in the past. I tried the Sente plug-in, but I don't really like using something that relies on a hack. I have also used GPG with GNUMail for OS X, which has a PGP bundle.

http://www.collaboration-world.com/gnumail

But I've nothing currently on OS X.

PGP/GPG would be more of a technological toy for me than a useful tool, since I don't need to email financial information or anything like that. Neither do I have any real need to establish my identity with a digital signature--the other main use.

It would still be great simply as a "technological toy", but the fact of the matter is most people I know are "non-technical" types and don't use PGP.

I haven't used S/MIME. The tutorial looks good, but I'm not going to download a certificate and have another means of doing something that almost no-one I know uses. But it's great for people who have that need. Business and public bodies would certainly have a use for it. In fact, they probably should be using this kind of thing more than they do. The same goes for whole-disk encryption: if your organization loses 3 to 4 laptops per month then the person who finds it had better not be able to look at sensitive information on them:

http://www.techdirt.com/articles/20070212/130314.shtml

Dave
2007-03-08 10:58:54

I'd like to encrypt mail from home to the office and back. I'd probably encrypt with family members too. But I have absolutely no idea how to do it. Or if I start doing it, how do people on the other end know how to decrypt it? The thought of teaching my family a new computer trick keeps me from even looking into it.

Joachim
2007-03-08 11:27:10

I started using this:

http://joar.com/certificates/

I have to renew the certificates every year, but that's not a major problem.
I'd really like to see more people use encryption.

Steve
2007-03-08 13:24:34

I use encrypted e-mail at work. But we're told not to do it unless necessary because of the infrastructure/bandwidth changes. If you send a cleartext e-mail to a list of 10 recipients the message is uploaded to a mail router once and then distributed to each recipient through mail router to mail router data exchanges. If you send an encrypted e-mail to 10 recipients it is encrypted 10 separate ways and uploaded to the mail router 10 times.

Gary
2007-03-08 13:28:50

Ab, V qba'g hfr vg. Gbb zhpu unffyr... :-)

Billifer
2007-03-08 15:17:09

I use and prefer GPG, via the GPGMail plugin that others have mentioned. Unfortunately, most of the people I correspond with do not use any type of encryption or authentication so it's mostly a moot point. *Harrumph*

Also, I tend to prefer the 2.x version of GnuPG over the 1.4.x version, and GPGMail doesn't yet support it, which means I have to install both. I always compile my own gpg2 from SVN, but it seems like a waste of time to do so for 1.4.x.

Maybe one of these days I can finally convince my correspondents that other people really are reading their emails and that encryption is their friend too.

kugino
2007-03-09 01:23:07

GPGMail here...compiled from the source code. the only problem is that none of my friends or family members do encryption and they can't be bothered with adding encryption keys...so, i'm basically signing my emails but no real encryption is being done...

JJ
2007-03-09 03:06:47

Consider this: as you may know, standard email is sent along the Internet as plain text, so that anyone with access to one of the computers along which that email travels from sender to recipient could theoretically read what you're sending.

I understand the possibility here, but are there any documented cases of this actually happening?

The risk to me seems too small to be worth bothering about, aside from the obvious precaution of not sending bank details / credit card numbers via email.

Greg
2007-03-09 07:05:18

"'Postcards' in the digital realm, envelopes in the real world. Where does this discrepancy come from?"

It comes from the fact that everyone knows how to open an envelope.

Chris
2007-03-09 11:11:02

I have been using S/MIME permanently for 3-4 years, and 17 of my contacts do too. I used to use PGP, but that has been obsolete since S/MIME.
I prefer S/MIME because it's really easy to use, there is nothing to install, and it's supported by every mail client.

Marcus
2007-03-10 08:44:11

I do use encryption in my emails. The problem is not that it is hard to use (because it is really easy) but that the recipients don't use it.

Jochen Wolters
2007-03-10 09:39:50

Wow, who would have thought that this subject would rake in so many interesting comments. Thanks a lot!

There are two recurring themes here: setting up secure email isn't all that easy, especially with GPG. And once you've set it up, you hardly use it, because only few of your contacts use encryption, too.

To help change the latter, I see three aspects that need to be addressed:

An easy-to-use and seamless UI for configuring and using secure email

Decent documentation, that not only covers the technical aspects, but also explains the principles and -- most importantly -- the benefits of using secure email

Creating awareness of secure email with non-geeks

So what's the status here?

UI: the UI for secure email in Mail and Address Book is very decent and absolutely seamless already -- good!

Documentation: well, at least we could contribute our share here with an extensive, up-to-date article on the MDC. ;)

Awareness: this is the big one. Let's hope that Apple will advertise the secure email features better with OS X 10.5 Leopard. All it takes is showing a short teaser window when configuring Mail.app, so that everyone setting up a Mac with the new OS will be made aware of this topic.

Hmmm, not too bad, really, but I daresay that the awareness bit is the biggest obstacle, so: if you have any further suggestions for evangelizing the use of secure email, let's hear 'em, especially if they qualify as "success stories!"

Oh, and thanks again for all the feedback you provided already!

Chris
2007-03-11 03:01:38

@Jochen Wolters
The only thing you need is a valid certificate for your email address. And this takes just a few minutes.

There are at least three simple ways to get one:
1. Request a certificate from a Certificate Authority (Thawte, Trustcenter, Verisign, etc.).
2. .Mac users can get a certificate for their .Mac mail address from Apple.
3. Create a certificate via the Certificate Assistant, and distribute it yourself.

The only simpler solution could be that Apple becomes an official Certificate Authority and offers to certify every Mac user's mail accounts. But I don't believe that this will happen.

Chris
2007-03-11 05:56:15

Or:
4. Use a mail provider that offers accounts with certificates (such as web.de).

Helvécio Mafra
2007-03-11 19:28:03

I have been using encryption for a long time, since I read this tutorial on setting it up in mail:

http://joar.com/certificates/

The tutorial was first written in 2003, and I think I read it as soon as it came out.

Travis
2007-03-13 12:05:14

Any time I use OS X Mail with S/MIME digital signatures to email someone using Eudora 7.0.1 for Windows, they see a blank email and an attachment they can't open. This is almost certainly a bug in Eudora (don't know if it's fixed in later versions), but they blame me for it.

Email client support needs to improve before this will get adopted.

Francis Pressland
2007-03-15 17:46:50

Since the average Mac user will be unlikely to think of using a digital signature let alone encrypting their email, we have a lot of work to do if it is to catch on. First though we should separate out digital signing of email and encrypting email.

I can see an advantage to signing almost all email. For the recipient it gives a degree of certainty that the email is genuine, and the sender can use the signature as his or her own written one and emails become legal documents. Assuming the certificate is verified to a high degree by the Certificate Authority.

As far as encrypting email goes, this is more complicated. I can see the sense of encrypting an email with sensitive personal details, like credit card details, health insurance forms or tax returns. I can see that it may be a useful form of authentication when sending software or photos to clients.

The "Postcard" analogy is on reflection not quite as good as it initially seems.

When we send a postcard, we know that the Postman will read it, indeed we expect him to do so, and the postcard will be displayed on the Wall at work or on the Mantle-piece at home for all and sundry to see. This is exactly what is intended.

We use an envelope primarily to keep the contents of the mail together and safe from the elements and to attach the address and postage stamp. Yes we expect the contents to be kept private, but anyone along the line could intercept the letter and steam it open to read.

When we send an email to one person, it is not opened until it gets to the recipient's address. Generally speaking this email is not distributed around the office. Yes, I know there have been some interesting exceptions to this.

Although certainly not impossible, the chances of an email being read by the "postman" are not that high. Most of the time, therefore, simply signing the email will be enough, thus authenticating the sender.

Encryption should in my very humble opinion be reserved for high priority emails only. The analogy is more like sending the letter with Securicor and armed guards than sending a letter in an envelope.

So I will be sending most of my email signed from now on; hopefully I will get asked what it's all about, when I will have the opportunity to explain. For the last few days I've been sending signed email to my family, who all have Macs and use "Mail". So far not one of them has commented.

Jochen Wolters
2007-03-19 03:35:34

Full disclosure: Francis is a good friend of mine.

Francis:

As soon as users are aware what signing and encryption do, I'm sure they will also get a feel for what they should use when. The key, however, is to make the average user aware that this functionality exists at all.

Once they are, why shouldn't they encrypt literally every email they send if that is how they feel about the privacy of their email communication? And it works the other way, too: if you're educated about secure email, and you choose to not even encrypt bank account details, etc., then that is at least an informed decision.

Again, the key is to create a thorough awareness for secure email among users, and then provide a UI that makes using it as painless as possible.

As for the postcard analogy: when I used that, I had no idea that it would be dissected so thoroughly. But that dissection just goes to show that analogies are only helpful as long as you keep them simple and don't try to read too much into them. ;)

business loan
2007-11-19 06:09:39

One thing I’ll warn people about if they really get into using (S/MIME) encrypted e-mail is a “bug” in Tiger. In order to check the revocation information of the certificate, Tiger downloads CRLs into a local database for caching. Only problem is that it doesn’t clear this cache, and after a year (or so) of using certificates, it will appear that Mail is crawling. The solution to this is to run '/usr/bin/crlrefresh r p' on a “regular” basis. I have it in my /etc/weekly.local file because I use certificates so much, but it could probably go in monthly.local just as easily (or run manually from time to time).

[Ad link removed -- Ed.]

Jochen Wolters
2007-11-22 03:17:01

Thanks for pointing out this issue with S/MIME and, even more so, for including the appropriate cure. ;)

Dmitry
2007-11-22 13:19:08

I tried to use gpg for encrypting e-mails in Kmail and faced little problem in generating keys or sending encrypted e-mails.

There are still problems though.
First problem, well discussed above, is that no one actually uses encryption or has a public key.

Second, not discussed in previous posts, is that you need to *store* your private key somewhere. You will most likely need to know how to transfer it from computer to computer, how to not lose it when your Windows is re-installed, how to protect your storage from eavesdropping. Actually, I occasionally deleted my private key file and after that stopped using encryption at all.

My opinion is that e-mail is an obsolete technology. We should invent something else -- good, strong and convenient.

Jochen Wolters
2007-11-28 06:55:05

Dmitry

When using S/MIME on a Mac running OS X, the certificates (keys) are stored inside the user's keychain, which is stored in the [username]/Library/Keychains folder, so they are not affected if you re-install the operating system (as long as you don't format or exchange the hard drive, of course).

What's more, since these certificates are managed with the Keychain Access tool, exporting a specific certificate for use on another machine or for backup purposes is just a menu item away: select the desired certificate(s) and select Export Items from the File menu.

As for email being an obsolete technology, that's a statement I've heard often in recent years. I just wonder what people have in mind when they suggest that we need a replacement technology: would that focus on modifying the underlying architecture of how we create, route, and read emails today, or should the very way we use email be changed, as well?

Brendan
2008-07-12 16:05:38

I have used encryption in the past. It took too much time to set up. Nobody I knew used it. The key (or something) attached to emails as attachments, for those (everyone) who did not have encryption set up. Everyone kept on asking me what I attached and why they could not open it. It caused me too much labour explaining it to too many people who did not care.

I really want to use encryption for all my transactions, but it needs to be:

*Easy to use
*Not cause distress to email recipients (not being able to open my attachment)

It does not have to be:
*Very secure (the security of an "envelope" is better than a post card!)

I have posted on Thunderbird asking them why it is not integrated. Gmail might also be a good place to bug.

Brendan
2008-07-12 16:10:02

Email obsolete? It seems to me that email is about as obsolete as a car.

Jochen Wolters
2008-07-13 04:26:15

Brendan:

Once you've installed your personal certificate(s) via the Keychain Access utility, the support for secure emails in Mail.app is as seamless and easy-to-use as it gets, IMHO. Just click the Encrypt or Sign button, and when sending out your email, it is encrypted or signed, respectively.

Usually, the problem is less about the technological implementations than about convincing your contacts to also start using email encryption. And, yes, S/MIME will send your public key along with signed outgoing messages, which may confuse some people (encryption is only available if you have the recipient's public key in your keyring). If you want to avoid this, just make sure that the Sign button is _not_ clicked before you hit "send".

As for Thunderbird, that email client also has support for S/MIME built right in:

http://kb.mozillazine.org/Message_security
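
The point made in the comment above, that a signed S/MIME message carries the sender's certificate and that this is what lets the recipient encrypt a reply, shown with the `openssl smime` command-line tool. This is an added example, not part of the original thread; the names, addresses and file names are constructed, and a throwaway self-signed certificate stands in for a CA-issued personal certificate.

```shell
#!/bin/sh
# Added example (not from the original thread). All names, addresses and
# file names are constructed; the certificate is a throwaway self-signed one.
set -eu

# SHA-256 fingerprint of a PEM certificate, for comparing two copies.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Run the whole exchange inside directory $1 and print Alice's decrypted
# copy of Bob's reply on stdout.
smime_roundtrip() {
  d=$1

  # Alice's key pair and certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Alice Example/emailAddress=alice@example.org" \
    -keyout "$d/alice.key" -out "$d/alice.crt" 2>/dev/null

  # 1. Alice signs a message. The result is a multipart/signed MIME message
  #    whose signature part also carries her certificate.
  printf 'Hello Bob, this one is signed.\n' > "$d/msg.txt"
  openssl smime -sign -in "$d/msg.txt" \
    -signer "$d/alice.crt" -inkey "$d/alice.key" -out "$d/signed.eml"

  # 2. Bob checks the signature and saves the certificate found inside the
  #    message. -noverify skips only the chain-of-trust check (the demo cert
  #    is self-signed); the signature over the content is still verified.
  openssl smime -verify -noverify -in "$d/signed.eml" \
    -signer "$d/harvested.crt" -out /dev/null 2>/dev/null

  # 3. Bob can now encrypt to Alice using nothing but what her signed
  #    message delivered.
  printf 'Reply for Alice only.\n' > "$d/reply.txt"
  openssl smime -encrypt -aes256 -in "$d/reply.txt" \
    -out "$d/reply.eml" "$d/harvested.crt"

  # 4. Only the holder of alice.key can read the reply. S/MIME canonicalises
  #    text to CRLF line endings, so strip the carriage returns for display.
  openssl smime -decrypt -in "$d/reply.eml" \
    -recip "$d/alice.crt" -inkey "$d/alice.key" | tr -d '\r'
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
smime_roundtrip "$workdir"
```

In real use the `-noverify` flag would be dropped and the signer's certificate checked against a trusted CA, which is the role the certificate authorities mentioned in the comments play.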
